[Snort-sigs] multiple interfaces

Jason security at ...704...
Thu May 20 19:30:01 EDT 2004


Jason Haar wrote:
> On Wed, May 19, 2004 at 10:55:22PM -0400, Jason wrote:
> 
>>to watch all interfaces
>>
>>snort -i any
>>
>>to selectively ignore a specific interface
>>
>>snort -i any not ether dst [MAC address]
>>
>>Eg: snort -i any not ether dst 00:D0:B7:92:4A:53
>>
> 
> 
> That won't work will it? I mean, snort runs in promisc mode, so the dst
> Ethernet address isn't a Snort MAC - it's another host. So excluding the MAC
> addresses assosiated with Snort will just stop you seeing traffic *aimed* at
> that address - not traffic passing it.
> 
> (this assumes the question was: "how do I monitor 5 Ethernet interfaces
> except for int 3" - my answer is "4 instances of snort")
> 

Correct. My assumption was that the interfaces that were to be negated 
were the actual interfaces used to manage.

If you do not want to put the interface in promisc you would have to go 
with 4 instances or only bond the interfaces you are looking for 
together and snort the bond.

That all takes much longer to explain and is more appropriate for the 
FAQ or a manual.






More information about the Snort-sigs mailing list